& £ ofl^J l-(Matching Rules)^ &?\] #(Relation Rules)^: i^tb Ir(Rules)

7}^9] nfl^i= jr ^ *fl-8-SM 5l# ^l^Aoil z^-z]-o) 

A^, ^IE2] U>ol e^7> <g*lsq*l ^ Al^oflA-^ ^] # 

*i* ^^jm ^ $m. 

£. 4 



27-3 



1020030016208 ^^ <£t.\: 2003/4/30 

Title of the invention: METHOD TO DETECT MALICIOUS SCRIPTS USING CODE INSERTION TECHNIQUE

£ 2 nfl^* ^>7l 4^1 3*33 ^Hl, 

£. 8 £r ^H^* ^-tb ^>7l 4*fl ^ W #7fl 1- tfl^ ^<4, 

5L 10 £ ^ ^*fl ^ ^1 ol^-^xl^ 1- o]^^ 

2 : ^-g- i3^S 4 : # 
6 : ^3.^B. 10 :

20 : ^3.^3. &&7] 






<15> i^o. i3^E aj-^ofl 3 n a Vol 7 ] ^ o. 0 ^ 

<16> ov^ ^c (malicious code )^ ti]^A o V^ol tri^ ^Efl ^(harm)

^^1- ^^fEi w>ol&|>i( computer virus), ^(worm), nejjl H 

-^Ktrojan)!- 5L^>^- 7fl^o]cf. ^^^e^ ^h^H *r>$€ ^ 

^Sa^fl- ^Hr^l, ?A^£r ^H^HCVisual Basic 

Script), mIRC ^H^B, ia^B7} ^^^.S. 7H V & , ^ PHP 

iH^H, i^l = i3^S ^#ol ^|«- ^fl^t}. 

(signature) 7]^]-^ i7fl ^ (scanning)^- ^tr a <f^ 0 l isL^^S. >>)-g-5qji 544. ^-^^ 

, °l^tr 7l^^r Aj-^^i ig^*v «a} °- ^ Alziv-i^l- ^#tr ^ SJEL^ 

^ aI-^-— 5- , <£s^H 8£^r *fl5.£ ^ ^£l^H^ #*Hm (heuristic) ^ 

?fl^, 33 ^ 7 o^l 71^ -i^l A^^Cf. 
<18> -a- o]^m. <^ ^efl^ <£3}*1*1 ^ ^ ^a^B 71^* #

s]-S-7]S. *}-£]-. 

<19> 31*8, «hS ^» *V^r 4-g-5]fe t^jel (method) 5E^r ufl^> 

^(intrinsic function) Jl#1-# cfl e] Hfl o] ^ t\cr\^ji cfl^- ia^Bf 

<t M-EfM-^ ^ iH^BS #^}^r °1 

y o V ^£- ^£7> tiling BB>sj7. ^o. iol^] £>*]i£ ov^ o] o]-^ 

(legitimate) ia^Bt ^ iUKfalse positive)7> ^?>] ^cf 

<20> ^ f ^ 7 ]tf^ olBj # ^-4^71 ^*fl Z^S} nfl^- o>^ 

3^ °\5Lo]}*\ x\)<£s\9l^. £ 1 ^ oleitV 33 ^ 71^^- ^^^>7l W *fl°^ * 
*H ^>7l ^r*J*Rr y)^^ Hfloj^l i^Eo] ^^olcf. Cf^o) pfl^c j-^o] 

& ^*m°lF ^ ^91^ ^ 9X^\. tf&tf, 4*J^ Copy ^JEL^ ^ ^91 

ia^Bt ' L0VE-LETTER-F0R-Y0U . TXT . VBS ' o]§.o_^ ^-a>s>zl, 7^^ 

Attachments. Add ffld^^- n. sj-<^ ^flS ofl<a] zfl^jofl ^^-^-o.^ ofl<^-§- 

^>7l iH3W. neW, ^iJE. ^-fHF-^ 3*}*Kr ^-8- *}--§- 

S]^, ABRr Oj^-O.^. A 3 |H 54^^- ^^^J7 B b}^ o]M.o) 3\.<£±. ^^}^ # 
^fl^S. ^ *H^>JE.S ^ ^.^-1- J±ol 

Tfl °1 7]^-^ nfl^JEl #7]] oj-u)^ 3^^, fso, C, OUt , 
male ^ &7\] 9X^ <H *1 *Rr 7>!- ^a^o.^ , tj-€- H <H^H ^

<21> ^aflofl oio^Ai, «Hd *85)^ v\)±ZL Al^i^nV ^o}^- ^

cfo^ nfl^c tr^ nfl ^ £L o} S ^-o. S o] =Lo^tf. tcfeH , o] 7 1 ^ 

^ iE^r ^>i4 ol^o^^lcfj! Scfl^^j7 , z}- ^ ^ 

^, 5L 2 ±± v\)o^o. ^ ^ }7] ^ ^2)2) ^H^. £ 2 &°], nfl^l 

l-(matching rule)4 ^31 l-(relation rule)^ ^- 7}*] #^-7> , ojm % 

?M ^m^. ^^U, ^Tfl ^ O-ofl^ -f^^ ^(true) 

<22> ole^*}- -g-Sfl ov^ ^ ^y.^ fl^fe ^ ^^ofl Af-g^ 4. 
^Sr ^ SLft* i^-i" ^ &l=Rr 7>^lcf. ^ ^

^ 32= ^^JL^ Sfl^" 3}-^l^ El€&M tt^r 7}^) ofl^- 

-f ^ ^(false negative) 7} fe<^ 7>^£. 7>^7fl ^tj-. ^, 

= s# Aiii f ^ ^5 ^ sa^ &°i si-m-h* 

35*fl, #*1 7)«^ ES^^ ^^*v Al^^fl 7>S^|)<H #*1*> 

*Hr*Kr #*1 "J^H^. °1 y o V ^£r *l?i ^ofl » ^ 3££] ^ 

$ ^ ^S- ^*\o) 7}^*}JL cflo]Ei# o]-g-^ ^ olcf^ ^-^ol clef. ZL 

°1 7l^^ ^^ojoiE^ ^ ^1717} ^^£)^o]: ^ f ^ ^o] n 

JLZL^l cfltb #a]JL <y*fl ^*Hr ^*|1 = 7> HCf^ 7>^lJl ^Cf. ^, 

O-^jt). ^o] cuflo] xflofl ;*l<y<5Kr S.-E- *}S.7\ A-^^o^ 

tt i^wH^i Al^Efl^ ^-^^o] ^ o^jofl 45^ A^^ cfl-g- 71^4 #5}o] OIE 

tflo. 71^^ «>olE^ tfi-g- 7l^# -g-fM& ^ 5M. >M«1 *r^3 ^tifoje^ 

^*>7fl *^l*>7l <H3& ^ Aj-^cflAi ^7f-f^ >H«1 -^-g-^Tfl A>-g-^Ch O] nfl 

. ^tH^l^S] ^ ^L£L ^ItF ^£^1 7l«H ^7fl^l^ $0.^, o]nl cfl 
«HH^ ^*H1 3^>5^ 7>^H oj-g-^ ^o) ^^ol4. ZLem,

<24> Olfif Z>^ ^efl 7]^!-^ §-^1^0.5. ^lsfl, ^*fl ^7FMa ^ofl ^TflJ^ A-] 

*H-§- ^wH^tt ^IzLui^ 71*12] ^fl^* 71^-o.S ^^SH , °H1 

[i^V^ol C]^J77> ^ 71^^ 2^11 
<25> olofl ^-rgo. AV 7 )^ ^ -.^1^^- *Ms>7l ?A°-5L*) , 

ia^E iS-ELofl 7^1 ^ ol^ r^H^B. ^§>J1 *fl# 

H7f *fl S-g" 7>A1S] °jv£ ^ &i=. -S— 71^^ 

<26> ^7}Q Z>^ -H-^ ^S>7l ^^ofl iSiE. 7}^% ^ 

^ iH^Et #*l*Rr H o v ^^r ( "fl^J l-(Matching Rules)4 ^31 #(Relation Rules)# 
l-(Rules) 71*12} nfli^ 5l# *fl-g-SH aI^^chi zv 

^ £-*Hl ^1-* , Q£ i3|S2l nfl^H. Jl# zi^^ ^1 







<27> B.^, ^- 7l ^ he] AV 7 ) 3^ # 7 j nfl^l ^-ofl 

71 vfl-§-3|- pjj^c jr # ^ofl AVOI^^ Sj-^E^ ^ ^ 

^ 31#SRr ^£H, #7l *}*ll #71 nfl^ 1 1-^1- <^*1 

^ ^dlS. i#^l ^ ofl^l l-ofl ^-7)1 #-g- *J*gsH "fl^S 

Al^^^ oVa^ ^ ^ § 71^0} ^ ofl^^, #71 <ffl 

A>-8-^- ^ ttl^ojl #71 nfl^l 1-^- nfl^= Jl# 

<28> o^}, ^J=L£ £^o. ^ ^-g- ^^§>7lS 

<29> i^, ^sRr31 ^^a} ^-§-5]^ <H^&)7llol^ 7l^oH tflsfl # 

3^i7l^. ^t-cf. <H#sl^l 0 l^ 71^^ 3.— ^(code safety *flo>s} ^ o_ 

5., ^<?M °Jr^ ^ 3.^7} ^xj^ a>^oH (policy)^: 

^ ^ Sl^ *§$\S. 3Ef £:&*Rr 7l^olcf. rr}-^ , i£$o) =u=s- ^ 

^-zi"^ API7]- J:#€ sflxg- API JL#S <U*fl 51^ 7>^ol 

oo> ^ 3 -g. ojeitl: <H-&Bl?)H^ ^ E ^l 7l]^£o)cf . ^Sr}^, 

#31 Al^Efl^. ^ ^#7l(policy generator)^ <H#el TlM 43 ^«-7l (appl icat ion 







transformer)^. ^ ^ *8 A §7}^ SE^ J±*V ^ £3*H 

*H tfl*V *fl^ Aj-^-g- ^jl ^(safety policy), lielJL Sfl^ #!fl#sl API 

BH-a^Sr 3^ A}* vfl^^l tfl^. 7^7} ^o^tf. ole^tr 

w>%--^S. #3)6|) ^^.^ i2J=-I- aj-oi^v ^o]ti.&|^ (policy-enforcing 

platform library)^ ^^1^^ 3.^ ^ *l^°l 7l^^ *n 7l# 3j-°J(policy 
description fileH ^^^^c]^ fw] s^o] ^S-^tf. cflAj- 

3^7]- <H#3*M*i ^*7l^ ^ 7|# *fl# 3^2] ^ 

API iL#-g- £^ fsjif e}ol tiE^cHl ^ Ml^S*) ^^A]ofl Afxl ^ 

H^ZL^ofl ^is}^ ^Efll- 7>^1 o]^- i2£L(mobile code HI cfltb *1H #^M1 

Jl ^1 S.^ Apjo] ^7} <^JfnKg- ^^^>£.S 3fll£* #7)% ^ §j 

^ l-(rule) 71 t^jel 3L# ^11- *fl -§-*!-£] , o]^^}o)^ £<g- 71 

ol-g-s}^ ^1 ^-H* ^^ofl ^-°j^-o_ S Ml ^*JaH1 ov^j 2 = © ^1*> 

^ 7l^ofl cfltr #S*>ol 41^^^, *H1 ^1^- ^ 

(10:Self-Detection Routine Generator )fe °fl^] -IKMatching Rules)^- ^Tll l-(Relation 
Rules)* Z.^t& ^ #(4:Detection Rules)* 71^0.5. ^ ^ #*}lk ^ 
9X^ *H1 ^(n A i *®$\ ^H)* ^ ^€-7l(20:Script

Transformer)^ ofl^H. ^# (Met hod call) ^r## i^tr i3^E(2)t # 

(4)* 71^0.5. v)]±b. Jl# Al^sq- *\t£ j=le} a|^71 (10)0)1*1 

f-*1H 7}3] ^^lr ^ ^ 3 ^H(6)5. 

i3^B ^*7l(20)^ Q^r ^3-^EL(2H] 7)^5)o] ^ o}^ 

*r^, £5 1 t2*H, £ 4 ^--g, 7fl^£l- D fl^ 1- (Matching 

Rules)*]- ^Tfl ^(Relation Rules)-!: i^*r l-(Rules) 7l«}-^ nfl^c ^# *1€^ ^1 
1- *fl-§-*H ^# Al^^ofl 4-*V z]-z}-^ ~^d\] s£QQ ^}*H ^ 

^ -£# ^-°gW(S5io). iH^Bi *r*fl ^ 

# -f-*fl ^^Hlxr «Hd ^7} ^^(S520). 

°1 ^ <H1 ^ ^M^r cfl^fl ^iL7}£_ aJ^flS., ^ ^3^B(2)^ ^ 

= jL#(method call) sj-^E^ z\Q&^r ^is}JL 7.}^} ^ Jl 

#*>^ ^, £ 4 ^ ^€ a 3 ^e( 6 ) ^ofl^ parameters to 

buffer', 'put return value to buffer', ^ 'run Self-Detection Routine' S. 7)^S)<% 
SL^ £ 9 Q ^Efll- 7}7] Til ^Cf. ol^J^- S.^ Jl# ^<M1 

S)^ ?M o}i-H, 11 1-^1 71^^ ^ozf ^^is] 92*l*Rr ^Efll- iLo]^ nfl^T= s# 
^ofln> Aj-oj^^ o]nfli ^7)(20)^r nfl^l f-g- £-^*H 
<34> ^*t|£., *>*H ^-i- ^W^r ^-^(Self-Detection Routine)°l cf. ^l^^r

^ 3)3 ^!^7> ^AlS^l o>^ gO £i) ^ ^icj- JfLe] ^^7l(10) 

oil 3*fl ^>^°fl ^^H, I- ^ -^(detection engine)^ tH3 ufl^JB 

-i- (buffer handling method)^. ^^i=t. ^ <ffl^£- 1-3 ^313 cfl^ 

t= 5L#A]oHnV ^^£)a S> nfl^l so!] 2-€- #31 #1-* ^^fl^l 

*1 *V-§-^ ^ il^ ^Wl A^V^ ofl^JEL* 3 D l^i=}. 
<35> ol ^> #*1 7l^^ s.^ ^a^H <>}<>H ^-*r3*l &-2-3 #3 A>-g-*Hr 1: 

^r3 «yol7> -g-^fV iiSt ^f-*fl ^^13 ^3 €-&r°J 

(run-time) ^^1 ^ ^o-g- A>-g--|j-cf. tcj-aH , 3^3 3"33 ia^E ^<H1 

"U 1 ^-S-S. 3^ 3€- £3* 3tr * 33^: ^3 

^711 ^cf. 

<36> ol^l, £ igj-rgfij oj^fl^ §71 ^^*V ^ -#ol 7]^ Q ufl JH^ 

^eflfil s= ^3 ^ 7l^s] ^sf -8-a}^u1 ^ ci-oj^ol oi_o^ Ai ^E})^ 





*\t%2\?>\v\. £ 6 o. ^. ^ofl oL^ # 7^ Jg-^ofl rfltr ^1* 
th £ 6 -§- ^S*}^, T5>uLcq 1- 7l# a^J^- # ^jg. ^^M, AA2\ 

1- ID(rule_identifier)s]- » (rule_body)S. ^^cf. # %^ nfl^l # 

4 t-ofl 4^ ^^l^d], nfl^l T^ofl^ 1- ^^(variable_string)» 5L^> 

3 sHl^ °^ u J-^<y ^Efl» 7^711 s*v, t-sq ^-f^l^ 

S£lll(condition_phrase);4 -Ir^fl! (action_phrase)S. ^p-^^M, ^^5] S^o] °]-^ 

ZfZfSl ^ l-o] o]nl nV^sj&i^q - 1;^ s.^ ^^^o] cf 

<37> z^C-fl , ^$\9] # 7l## ^-^-s>7fl ^1"^^ 7}^T -S-tl^r AND, 0R^ ^ 

^^Xlogical operator)* ^ 0 1&*}. A, B, C7}- zj-zf ^-14^ 

3:?i^(condition_expr)c»]s} sj-^^ nfl , '(A AND B) OR C* ^ zj-^ ^o] 

<38> R1 : cond A

<39> R2 : precond A

<40> cond B

<41> action $global = true

<42> R3 : cond C

<43> action $global = true
<44> ^r, AND 5. <3^€ cf^r^ £rE^H a>^ (pre-condition

phraseHl ^afrJH, ORS ^s|«flo> § zj-zj-s] ^^^o] ^ o. false5L ^ 

*d^«l^!- trueS -9-33*1 ^iliS. 7l#s]5^. oj^o. # 7]#JIf 

n ^ £1 tt ^>7l ^-7lKself-duplication)£] ^r^MeHr ^H, 

<46> 1] 



-f -g- 




5.^ ^71 


*1 ^ ^SL^ ^}-&-g- ^§Rr cfl^" ^i^l °M 

^7fl5fl=i i3^B vfl-g~g- ^ ufl-g-ilS Hj-^ol 


# *^ AA 4*1 






mlRC^f IRC #afo|<aS^ ai7!3i|- iH^Bf «^^cx) cHSJ- 


*-fi- -f-?h *M ^-^| 
sfl^l-^ Bel *§Efl3. 33*Kz, ^l^J* -S-'tHl 7l#^-o.s.^ ^

<48> ^^tfl, oju] w]^<g ufloj^i qv^ ^^B-lrS^-Ei ^H-^* oj-g-^- cf 

^ ^>7l 4^1 sfl^-i-^ *>M-^ He) 5. £ 7 -4 ^ ^Efl* :a°l7ti 

^ ^31 #* ^ 9X^. 

<49> s. 7 ofl 1- 7l# nfl^l l-oflA] Af-g-^ • *» ^ tt| M^S. 

31t= ^(wildcard)* ^HW. 5&th S^^H 1-^1 #*fl ^Jf^ 

»s] * ^jg. $H«H ^^Ml ^4. <«tfl, R4^ M2^ l-ol <y 

*fl '$1 = M2.$l' — sfl^SlZL, l-o] n>i^ o. S 

^ol^ '$1 = R6.$l' ^-S Sfl^j^ #^*V 1- 7}^o] 7}±§-Z>}7\] 

#^ R3, R5, R8, R9^ ^ «i^fl 'Set' ^ Xl^^ ^4iH^H^l *| ^-i- 

*}7)4*fl M# ^ 9X^. cfl°]o)lfe 'Set' A>-g-*M 

71-^*1-5.3., o] *V ^>°l^-i- Jl^«fl ^1 1-5) 
<51> ol*£ojl^ a 3 ^e 5? -EE. -£HH tflsfl >£^€r}7lS tl-cf. tfl# ^3^B7} ^

# iaH.^ £ 9 3- ^^^cf. £ 9 ofl^i 2^3 FS0.GetFile°l £a> tfl^oi ufl^jEl 

°lJI, 1*3321- 3^°1 °1 oflib^sl ^a>*>71 3^ #<y^ S^ojcf. RuleBase 7-3*11 

^ » 333" °H 3tt 3^ ^H^r afl^Hr ^1°H, =L ^£ 51 = # 

°J ^T^7> #14^ f^-g-ofl oj^-ocj^lcl-. o] 7«^^ ^ ^ = 

<52> nfl^c -^-g- ^a>^>71 3*fl A }-§-3ir "O^S-fe £ 9 <*1H3- Set Va 13- Check 

SetVal -Br wfl<l5- ^€ *H3 3 3 *H1 tfl^SJ-ji, Checker *\ 

°H, >M~8-*Rr *13^ 3-^3 7-1 ^ ^ <&sm HfllS ^£)<H ^H-JsL *fl^ 

*>fe nfl^ 1-3 Ol-g- «q6fl£, 42}clEi3- Sl^^l-Ol Hfl <gofl Tl^Cf. H] 

^ yfloi^oiq- ^y}ia^E f^-4 ^ ia^S <d<>H>*lfe <^y>^o] s SZLe fl 
"J <a<>W*H . ^(type)£ ^13= *h33 ^ 9X°]^ , t£3 : 7 

2^1» #3 ^11- ^-<a* ^« ^ ^711^x4. ^*Rr 

«fl^3 3- 3*H1 3^-3^7 4^5] 33^ cf-g-o] s 23 ^3-. 

<53> 
[Table 2]

(Only the column headings of this table survived extraction: a remarks column and the value columns 0, 1, 2 and "3 or more"; the cell contents are not recoverable.)
(RuleBase ^M] 3t7]$r ffl^H. Jl#). ^^^1 ^H^HS] S.€- tflafl 

^ ^ofl ^V]B\S^ 7.}7)*\t£ ^* 31#*Rr ^-g: # 

MM^S, 7>}*11 -f-i=l ov^ ^ Qj\ Jf-Q ^^(RuleBase # 



<55> ojttlofl^ oV^ ^ ^ofl tfl«fl- ^^*V7lS. t>4. ^1^= 2. 

*r 5U^1, °l^r ^"71 oil ^^-tt- RuleBase #Hfl^*14. o] fefli;} ^ 
*>fe ^(public) "fl^E.^- a 3 4 ^-cf. 

<56> [Table 3]

Method             | Function
init               | (description not recoverable)
SetVal(pos, value) | stores value at position pos
Check              | (description not recoverable)
3.EL ^-7il# 7]x}7l) ^U 1 M ^EflS 7}-^ ufl^IE. JL# #

^1 SetVal *}-g-3H 3*H1 &-g- z\ , Check ffldilE.* 

Jl#*Kr ^^7> #<^4. Check = ^ vfl-g-^- %*-2:*H °H 

*Hd°l S#S]^^7># ^o>Ml ^, Sfltg- nfl^l 1-g; ^11^=1- 

3L#^Kr ^1°^ (entry point)^ ^th&-§: ^r^tr^. ^r, °Jv$ ^-X) 

#efl^l q|*L nfl^JEKprivate method)^ M-bJ-u}^ t ^ ijL^ ^^ 7] 

6 H, *HI dfciM "Hi ^Tfl «-<*] ^7} 4=4. 

i^J »^ ^1^1 *tt^ ^<H*L ^4 .^-M^ ^^Sl£S, o|-°-ei ^ 

ojol sflxg- -ofl cfl^j. nfl^lol <y<Htf£~g: 7l^-*>7l 3*fl ^}u}-^ # instance)* 

3 T^o]^ 3^0] o>^:g nfl ^^4. nfl^l l-o^ ol^ig^ofl A] ^5) ^ 

$1, $2^ ^ nfl^l 1- ^o]h.S, ^3*r ol^^^o, 3^ 

^bw-ir tfl^Rr <y^Ei^sl s$s$o} 7>^*>cf. 

Cfscf. o^H^i ^ol^ ^*flS.Tr *fl# ^^M^tt 1" 

«<>1 ^^flf-^r atr, ^ ^ « *R1^ ^ZL 1-g; 

<&*^ f £ 7 4 7 ^ S2] ^EflS. M-E}^ rtfl tfltg- l-o) n^co)] <^t£ 
<60> *j.*fl ^ s-Bi a$s$7]si) 3e]*)-£ £4. ^*fl5-, #3}- #31

#31 1-^1 tfl*H 1- Rc» ^1^^, #s] s^Aiofl M-E^Hr « 

^ ^ SI- S^l 5L€- cfl3H ^ RcsL Afla^S., 

S.-E- ^n 1 tfl*f), o)6\] cfl-g-^ nfl^JEl* ^^tbtf. °H, nfl^o) vfl-g-^- cj-g-Jif 

afli-EL* S#tbcf. vijBi^S., 2.^ #31 #ofl cflisfl, olofl tfl-g-TsKr nfldilE.* 
olnfl, ufliJEL ifl-g-^ tf-g-^ ^cf. ^, 1- a>c] Jf£ ^-Qr ^ (parsing)^ 
B €-^<>fl £?fl MsU, #3 tfl-g-^Rr ^1^=1- 

<61> £. 10 £ ol^Tfl «H§ ^ ^^L^B^l <£*® o] =L<^ 

«fl'^ 1- ^^HH $1, $2^- £<>] 7l#^ 1- ^ ^nl^j-uf. 

<62> o^V f}- ti]-^ zj-o], ^ 7l^# ov^ ^ H>^^ 

°> 3.B.7} <#<Q% <LS.*q Ir^^-fV o_ai<5l]j=# , ^ S = ^r 
[Claim 1]

*fl^ l-(Matching Rules)^ #31 «-(Relation Rules )-§• #(Rules) 7l«V<^ 

^liH. J:# *1)-g-SH S# &*<H1 iM-^S: 

[Claim 2]

^ l SH^i, 

^"71 7}*fl -f-Bl Jl# 

^-71 nflilEL Jl# g-^-ol AJ-7] nfl^l fd|| 7 ]#^ Lfl-g-^ Dfl^JE. JL# 

Sl^M ^"^Sj^ ^nlE^ 7U>, ^ <a>0* 2ftm €-##3. ^SjuJ, 

#7] nfl^l 1-4 <H*l<5Hr JL#A] ^^5]cH ^ l-^Hl 
[Figure 1]

Set fso = CreateObject("Scripting.FileSystemObject")
Set dirsystem = fso.GetSpecialFolder(1)
Set c = fso.GetFile(WScript.ScriptFullName)
c.Copy(dirsystem & "\LOVE-LETTER-FOR-YOU.TXT.VBS")
set out = WScript.CreateObject("Outlook.Application")
set male = out.CreateItem(0)
male.Attachments.Add(dirsystem & "\LOVE-LETTER-FOR-YOU.TXT.VBS")
male.send



[Figure 2]

M1 : Set $1 = CreateObject(Scripting.FileSystemObject)
M2 : Set $1 = $2.GetFile(WScript.ScriptFullName)
M3 : $1.Copy($2)
M4 : set $1 = WScript.CreateObject(Outlook.Application)
M5 : set $1 = $2.CreateItem(0)
M6 : $1.Attachments.Add($2)
M7 : $1.send

R1 : (M1.$1 == M2.$2) && (M2.$1 == M3.$1)                      => $1 = M3.$2   // code writing
R2 : (M4.$1 == M5.$2) && (M5.$1 == M6.$1) && (M5.$1 == M7.$1)  => $1 = M6.$2   // send mail
R3 : R1.$1 == R2.$1                                             => $1 = true    // A Malicious Behavior is Detected!



[Figure 3]

Resources, Safety Policy, Platform Interface, Platform Library
  -> Policy Generator
  -> Policy-enforcing Platform Library, Policy Description File

Program, Policy Description File
  -> Application Transformer
  -> Version of program that:
     - Uses Policy-enforcing Platform Library
     - Satisfies low-level safety properties
[Figure 4]

Detection rules (4):
  - Matching Rules
  - Relation Rules

Inserted around each method call:
  put parameters to buffer
  method call
  put return value to buffer
  run self-Detection Routine

self-Detection Routine:
  - detection engine (rule-base)
  - buffer handling method




[Figure 5]

(Flowchart with steps S510 and S520; the step labels are not recoverable.)



[Figure 6]

rule_description        ::= { rule }+
rule                    ::= rule_identifier : rule_body
rule_body               ::= matching_rule_body | { relation_rule_body }+
matching_rule_body      ::= script statement with variable_string
variable_string         ::= variable | *
variable                ::= $ { digit }+
relation_rule_body      ::= condition_phrase => action_phrase
condition_phrase        ::= condition_expr { logical_operator condition_expr }*
condition_expr          ::= rule_identifier | local_variable string_compare_operator local_variable
logical_operator        ::= && | ||
string_compare_operator ::= < | ==
action_phrase           ::= action_stmt { , action_stmt }*
action_stmt             ::= variable = rvalue
rvalue                  ::= local_variable | variable | true | false
local_variable          ::= rule_identifier . variable
[Figure 7]

(Rule diagram for the self-duplication case. Surviving fragments: GetFile(WScript.ScriptFullName), Copy, OpenTextFile(...), WriteLine, rule node R8 and AND/OR combination nodes; the rest of the diagram is not recoverable.)



[Figure 8]

R1  : R2.$1 == M13.$1    => $1 = true
R2  : M1 || R3           => $1 = $1
R3  : R4.$1 == R5.$2     => $1 = R5.$1
R4  : M2 || R6 || R7     => $1 = $1
R5  : M12                => $1 = $1, $2 = $2
R6  : M3.$1 == M4.$1     => $1 = M4.$2
R7  : R8.$1 == R9.$2     => $1 = R9.$1
R8  : M5.$1 == R10.$2    => $1 = R10.$1
R9  : R11.$1 == R12.$1   => $1 = R11.$2, $2 = R12.$2
R10 : M6 || M7           => $1 = $1, $2 = $2
R11 : M8 || M9           => $1 = $1, $2 = $2
R12 : M10 || M11         => $1 = $1, $2 = $2



[Figure 9]

RuleBase.SetVal 0, "M2" : RuleBase.SetVal 2, FSO
Set c = FSO.GetFile(WScript.ScriptFullName)
RuleBase.SetVal 1, c : RuleBase.Check
[Figure 10]

Script Code                                           | Created Rule Instances
Set fso = CreateObject("Scripting.FileSystemObject")  | M1 | value of fso
Set c = fso.GetFile(WScript.ScriptFullName)           | M2 | value of c | value of fso
c.Copy("LOVE-LETTER-FOR-YOU.TXT.VBS")                 | M3 | value of c | "LOVE...VBS" | R1 | "LOVE...VBS"
set out = WScript.CreateObject("Outlook.Application") | M4 | value of out
set male = out.CreateItem(0)                          | M5 | value of male | value of out
male.Attachments.Add("LOVE-LETTER-FOR-YOU.TXT.VBS")   | M6 | value of male | "LOVE...VBS"
male.send                                             | M7 | value of male | R2 | "LOVE...VBS" | R3 | true